Risk Configuration

Ketryx allows full customization of risk matrices, risk field values, and risk evaluation logic to align with your organization's risk management methodology.

This page acts as a reference for all the various configurations possible beyond the default risk setup described in MAN-08 Risk Management.

How to configure

Risk configuration can be set at two levels:

Organization level - Affects all projects in the organization (requires organization owner permissions) Project level - Scopes configuration to a specific project and overrides organization settings (requires project management permissions)

Navigate to Advanced Settings and configure the individual risk configuration fields. Each field accepts valid JSON structures. If a field is not configured, system defaults are used.

Configuring probability and severity values

Before defining risk matrices, you must first configure the available values for probability, severity, and risk evaluation fields. These values serve as the building blocks that will be referenced in your matrix configurations.

Important: All values used in your risk matrices must be defined in these configuration fields first or you will encounter unexpected behavior when working on your Risks.

Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.

Structure

Each value can include optional color coding for visual distinction:

[
  {
    "name": "Low",
    "hexColor": "39A31A",
    "fontHexColor": "EBFFE4"
  },
  {
    "name": "Medium",
    "hexColor": "D08300",
    "fontHexColor": "FFF7E4"
  },
  {
    "name": "High",
    "hexColor": "B50531",
    "fontHexColor": "FFEDF3"
  }
]

Probability values

Configure the following fields to define your probability scales:

• Initial Occurrence Probability - P1 values (typically, the likelihood of the hazardous situation occurring)

• Initial Harm Probability - P2 values (typically, the likelihood of harm given the hazardous situation)

• Initial Total Probability - P0 values (combined probability result)

• Residual Occurrence Probability - Post-mitigation P1 values

• Residual Harm Probability - Post-mitigation P2 values

• Residual Total Probability - Post-mitigation P0 values

Example for a 5-level probability scale:

Severity values

Configure severity scales for both initial and residual risk assessment:

• Initial Severity - Pre-mitigation severity scale

• Residual Severity - Post-mitigation severity scale

Example for a 5-level severity scale:

Risk evaluation values

Risk evaluation values include an acceptability indicator that determines whether risks require mitigation:

• Initial Risk Acceptability Evaluation - Pre-mitigation risk levels

• Residual Risk Acceptability Evaluation - Post-mitigation risk levels

Example for a 5-level evaluation scale:

Configuring risk matrices

Once probability and severity values are defined, configure the four evaluation matrices that determine risk calculations. These matrices map the relationships between your configured values.

Important: All possible combinations must be defined. Missing combinations will cause unexpected behavior.

Available matrices

• Initial Total Probability matrix - Maps P1 (occurrence) × P2 (harm) = P0 (total probability)

• Initial Risk Evaluation matrix - Maps P0 × Severity = Risk Evaluation

• Residual Total Probability matrix - Post-mitigation probability calculation

• Residual Risk Evaluation matrix - Post-mitigation risk evaluation

Matrix structure

Matrices follow this JSON structure, where row and column values must exactly match the values defined in your probability and severity configurations (above):

Example: Initial Total Probability Matrix

This maps occurrence probability (rows) and harm probability (columns) to total probability values:

Example: Initial Risk Evaluation Matrix

This maps total probability (rows) and severity (columns) to risk evaluation values:

Configuring other risk field options

Customize dropdown options for various risk fields to match your risk management vocabulary.

Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.

Hazards

Define the types of potential sources of harm:

Hazardous situations

Define circumstances where patients are exposed to hazards:

Harms with default severity

Harms can optionally include an associated initial severity that auto-populates when selected:

When strict mode is enabled with "Require harm and initial severity selection", users must select from these predefined harms and cannot override the associated severity.

Event sequences and steps

Define templates for sequence of events that lead from hazard to harm:

Additional field configurations

• Hazard Types - Categories of hazards (Electrical, Mechanical, Software, etc.)

• System Categories - System components involved (Hardware, Software, Environment)

• Risk Assessment Methodologies - Methods used (FMEA, FTA, HAZOP)

Warning: If these fields are mapped to Jira custom fields via Field names configuration, changes will affect the global Jira field configuration.

Hazard type-specific configuration

Override matrices for specific hazard types to provide more granular risk evaluation:

When a user selects a hazard type with an associated configuration, those matrices override the default matrices for that specific risk.

Custom risk type configuration

For organizations managing multiple risk types (e.g., patient risks vs. cybersecurity risks), configure type-specific settings:

Strict mode interactions

When the following settings are enabled on the Project Settings page:

With "Require harm and initial severity selection"

• Only harms defined in configuration can be selected

• Initial severity is automatically set based on harm's defaultInitialSeverity

• Users cannot override the associated severity

With "Require derived risk analysis fields"

• Risk acceptability is enforced from matrices, without the ability to change it manually

With "Require hazard/hazardous situation selection"

• Free text entry is disabled

• Only pre-configured values can be selected

Configuration hierarchy

Ketryx applies configurations in order of specificity:

1. Project level + Custom risk type + Hazard type specific

2. Project level + Custom risk type

3. Project level + Hazard type specific

4. Project level general

5. Organization level (same hierarchy as above)

6. System defaults

The most specific applicable configuration always takes precedence.

Best Practices

1. Define all probability and severity values before creating matrices

2. Ensure all matrix combinations are defined

3. Test configuration changes in a sandbox project first